This is not just nice, this is needed for the support person and/or system administrator. See bad password count, when the password was last changed and when it will expire and other useful stuff with this handy "add-on" to the user account properties. You can use ADSI Edit of course, but far from all are used to it (or even know it exists).
First off, download this file: acctinfo.dll
SHA-1: 5e2dd255a20e2b98a339450367499730fef24cc7
SHA-256: 7c9c9e525b5156dac288f7228584f190a3d1a3ade58f382a2598012894156f7a
Then copy the file to the %systemroot%\system32 folder.
Click Start > Run and enter the following command:
regsvr32 %systemroot%\system32\acctinfo.dll
Now close and then open Active Directory Users and Computers, and open properties of a user object.
There should be an extra tab called Additional Account Info.
This is per machine and needs to be done on every machine you want this tab on, so make sure you have the proper permissions to register a DLL on those machines. But if you administer Active Directory I assume you already have them. I also noticed that this tab does not show if you open the user object properties from a search window.
If you for some reason do not like this extra tab, you can unregister the dll:
regsvr32 /u %systemroot%\system32\acctinfo.dll
You will get info like this on the tab:
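The values behind that tab ("password last set", "password expires") are AD large-integer timestamps: pwdLastSet is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and the domain's maxPwdAge is a negative 100-nanosecond interval. The snippet below, an added example and not part of acctinfo.dll or anything on the original page, shows how to turn those raw attribute values into the dates the tab displays; the sample tick values are constructed, not taken from a real directory.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch, used by pwdLastSet, lockoutTime, lastLogon, accountExpires.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10  # one tick is 100 ns

# userAccountControl bit 65536 (0x10000): "Password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000

# Sentinel stored in accountExpires / maxPwdAge meaning "never".
NEVER_SENTINEL = 0x7FFFFFFFFFFFFFFF


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert an AD large-integer timestamp to an aware UTC datetime.

    0 means the attribute is unset (e.g. pwdLastSet=0 means "must change password
    at next logon"); the NEVER sentinel means "never".
    """
    if ticks <= 0 or ticks == NEVER_SENTINEL:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int) -> Optional[datetime]:
    """Compute when a password expires, or None if it never will.

    max_pwd_age is the domain's maxPwdAge as stored in AD: a negative interval in
    100 ns ticks (42 days is -36288000000000).  This ignores fine-grained password
    policies (msDS-ResultantPSO), which would override the domain value.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None                      # account-level "never expires" flag
    if max_pwd_age == 0 or max_pwd_age == -(NEVER_SENTINEL + 1):
        return None                      # domain policy: passwords never expire
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return None                      # pwdLastSet=0: change required at next logon
    return last_set + timedelta(microseconds=(-max_pwd_age) // TICKS_PER_MICROSECOND)


if __name__ == "__main__":
    # Constructed sample: pwdLastSet for 2024-01-01 00:00:00 UTC, 42-day domain policy.
    sample_pwd_last_set = 133485408000000000
    sample_max_pwd_age = -36288000000000
    print("last set:", filetime_to_datetime(sample_pwd_last_set))
    print("expires: ", password_expiry(sample_pwd_last_set, sample_max_pwd_age, 0x200))
    print("service account expires:",
          password_expiry(sample_pwd_last_set, sample_max_pwd_age, 0x200 | UF_DONT_EXPIRE_PASSWD))
```

One caveat worth knowing when reading the tab: badPwdCount and lastLogon are not replicated between domain controllers, so the numbers shown are those of the DC that the Users and Computers console is currently connected to, not a domain-wide total.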
As administrator of Active Directory you probably want control over all accounts with passwords that never expire.
These should be service accounts and they should be restricted and stripped of all the privileges they do not need to fulfill the task assigned to them.
The LDAP query to list all accounts with non-expiring passwords looks like this:
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
Just copy/paste the query string above into your favourite LDAP browser and you should get the list of accounts whose passwords never expire.
Check this out to get more info from Active Directory!
Accounts can be locked out for many different reasons. The user might have forgotten the password, the password might have been changed while services on other machines are still using the old one, and so forth. Another reason, and the one you should fear the most, is that someone is trying to break in. Hence we want to keep an eye out for any accounts that keep getting locked out.
The LDAP query to list all locked out accounts looks like this:
(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))
Just copy/paste the query string above into your favourite LDAP browser and you should get the list of locked out accounts.
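Both queries above rely on AD-specific extensible matching rules: `1.2.840.113556.1.4.803` (LDAP_MATCHING_RULE_BIT_AND, all bits of the value must be set) and `1.2.840.113556.1.4.804` (LDAP_MATCHING_RULE_BIT_OR, at least one bit must be set). The first therefore tests the 65536 (0x10000, "password never expires") bit of userAccountControl; the second asks whether any of the low 32 bits of lockoutTime are set, i.e. whether it is non-zero. The Python below is an added example, not code from the original page: it evaluates the page's two filter strings against a handful of constructed directory entries so you can see exactly which objects each one selects. It handles only AND-ed filters (which is all the page uses); the entries and their attribute values are made up for illustration.

```python
import re
from typing import Any, Dict, List

# Matching-rule OIDs used in the two filters on this page.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the value must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the value must be set

# userAccountControl flags used by the constructed sample data.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000  # decimal 65536, the value in the first filter

NON_EXPIRING_FILTER = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
LOCKED_OUT_FILTER = ("(&(&(&(objectCategory=person)(objectClass=user)"
                     "(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))")

_BIT_ASSERTION = re.compile(r"\((\w+):([\d.]+):=(\d+)\)")   # (attr:oid:=value)
_EQ_ASSERTION = re.compile(r"\((\w+)=([^()=:]+)\)")         # (attr=value)

# AD resolves both objectCategory=User and objectCategory=Person to the Person category.
_CATEGORY_ALIASES = {"user": "person"}


def _norm(value: Any) -> str:
    text = str(value).lower()
    return _CATEGORY_ALIASES.get(text, text)


def entry_matches(entry: Dict[str, Any], ldap_filter: str) -> bool:
    """Evaluate a pure-conjunction AD filter against one entry given as a dict."""
    if "(|" in ldap_filter or "(!" in ldap_filter:
        raise ValueError("this helper only handles filters made of AND-ed assertions")
    for attr, oid, value in _BIT_ASSERTION.findall(ldap_filter):
        actual, mask = int(entry.get(attr, 0)), int(value)
        if oid == LDAP_MATCHING_RULE_BIT_AND and (actual & mask) != mask:
            return False
        if oid == LDAP_MATCHING_RULE_BIT_OR and (actual & mask) == 0:
            return False
        if oid not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
            raise ValueError(f"unsupported matching rule {oid}")
    for attr, value in _EQ_ASSERTION.findall(ldap_filter):
        actual = entry.get(attr, [])
        values = actual if isinstance(actual, list) else [actual]
        if not any(_norm(v) == _norm(value) for v in values):
            return False
    return True


def search(entries: List[Dict[str, Any]], ldap_filter: str) -> List[str]:
    """Return the sAMAccountName of every entry the filter selects."""
    return [e["sAMAccountName"] for e in entries if entry_matches(e, ldap_filter)]


# Constructed sample entries (hypothetical accounts, not from a real directory).
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_backup", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, "lockoutTime": 0},
    {"sAMAccountName": "jdoe", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "lockoutTime": 133485408123456789},
    {"sAMAccountName": "old_intern", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, "lockoutTime": 0},
    # A computer object: derives from "user" but its objectCategory is Computer, so
    # both filters correctly leave it out despite the never-expire bit being set.
    {"sAMAccountName": "WS01$", "objectCategory": "computer", "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD, "lockoutTime": 0},
]

if __name__ == "__main__":
    print("password never expires:", search(SAMPLE_ENTRIES, NON_EXPIRING_FILTER))
    print("locked out:            ", search(SAMPLE_ENTRIES, LOCKED_OUT_FILTER))
```

Two things to keep in mind when you run the real queries against a domain controller: lockoutTime is only reset to 0 on the next successful logon, so the second filter also returns accounts whose lockout has already expired under the domain's lockoutDuration, and the first filter by itself says nothing about whether the account is disabled, so combine it with a check on the 0x0002 bit if you only care about live accounts.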
When investigating problems in your Windows network you might sometimes want to know which Domain Controller authenticated a logon request for the machine you are troubleshooting. Look no further!
Open a command prompt and type:
SET L (no need for uppercase, it is just to clarify)
The result may vary depending on OS and on whether you log on locally or to a domain, but you should definitely get something like this:
LOGONSERVER=\\'machine name'
There we are. Depending on what you need the information for, it might be a good idea to resolve this machine name to check that the machine you are working on gets the correct IP address for it.